[openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

Brian Reichert reichert at numachi.com
Wed Nov 4 18:36:45 UTC 2015

On Wed, Nov 04, 2015 at 04:06:57PM +0100, Ben Humpert wrote:
> That guide is a little bit old and not very accurate. I setup my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / documentation is here:
> https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
> Now" below the cover image). I also used various other sources to
> improve and adapt the configuration files and command lines.

IIRC correctly, you need to affect your ca.cf file to honor ('copy') the
extensions for a SAN.

Something like the detail here:


  Second, modify the signing parameters. Find this line under the CA_default

  # Extension copying option: use with caution.
  # copy_extensions = copy

  And change it to:

  # Extension copying option: use with caution.
  copy_extensions = copy

Brian Reichert				<reichert at numachi.com>
BSD admin/developer at large	

More information about the openssl-users mailing list